On Thu, 18 Apr 2013, Art Manion wrote:
: What caused me to reconsider was the idea of more and more active CNAs.
: Now, MITRE is careful to hand out modest allocations of IDs, generally
: sequentially, to dozens(?) of CNAs. I don't think there's much waste.
:
: What I wanted to future-proof is the world with more CNAs (100s?) with
: more assignment authority (like a modulo slice or big sequential block
: of the year's CVE ID space). In this world, there still may not
: be more than 1M CVE IDs published per year, but there may be more than
: 1M CVE IDs allocated to CNAs. Allocation != publication.
This is a fair point. I do not know a lot about how CNAs run other than
the overall process. I certainly hope that a CNA is not granted a big pool
unless they demonstrate they need it. Such a demonstration should only be
valid if they actually issue that many valid CVEs, and request more during
the same year.
: Another future scale issue: Automated ways to find vulnerabilities
: could overwhelm the current 10K/year human-scale size of the problem.
That is the primary example Carsten Eiram and I offer. A system where an
automated code analysis tool can essentially auto-assign a CVE for each
one found. We know the current state of this would mean an incredible
number of false positives, so I can't see anyone arguing that CVE should
ever move away from some level of manual review for assignment.
Unless a company demonstrates a scanner that is > 90% accuracy, that
absolutely should not happen. Even then, if we're seeing a CVE assigned to
every valid vulnerability, no matter what the exploitation criteria are,
then we're also ignoring the current policy of grouping similar
vulnerabilities in similar versions. That also works against the argument
we're putting forth saying "maybe 1MIL can be reached".
In 14 years, we have a single example of a non-MITRE CNA issuing a
significant number of identifiers, and that is Kurt Seifried of RedHat.
Even with the *incredible* amount of hours he spends on it, he too has
said "I can't keep up in some situations". This is no insult to him by any
means, it is a basic truth. When Debian gave him a list of several hundred
vulnerabilities without an ID, he said "yeah, not happening" and asked
they be posted individually to oss-sec for consideration. When I gave
Steve Christey / MITRE a list of ~ 260 vulnerabilities from January 2013
that had no identifier, he too said "not happening".
I do not blame either one, but it illustrates the current model of CVE,
and illustrates the problem with manpower and identifier assignment. 14
years and no 10k barrier breached, with CVE and CNAs saying "we can't keep
up" moving forward, and the project actually moving into a position to
assign about the same number as previous years, if not less. I don't see a
1MIL scenario happening unless CVE changes policy completely. If they do,
then CVE also becomes entirely worthless and I don't care what barrier
they hit, because most of the industry would drop them quick.